Another day, another challenge.
In today’s post, we will solve the first challenge of the flAWS CTF.
flAWS CTF explores misconfigurations, and gotchas in AWS.
Let’s get started.
NOTE: I will be using the AWS command line. Which you can download HERE.
Going to the URL, http://flaws.cloud/, we’re presented with:
Scrolling down we see:
From the little bit of information we have this level contains buckets, and we possibly need to view the contents.
In AWS, there is a service called S3 or Simple Storage Service which is used for storing items for the Internet. To store an item you will need to create a bucket (see how everything is starting to come together…). Once the bucket is created, you can add your items to it.
Opening a command prompt we can type the following command
aws s3 ls <s3 domain>
Let’s break down this command.
- We’re using the AWS command line (by typing aws)
- We’re specifying we want to access the s3 service
- We want to list the contents of said bucket (ls = listing)
- We’re specify the s3 domain we want to access
In this case we will type aws s3 ls s3://flaws.cloud
Below is the output:
Hmm… there’s a secret-dd02c7c.html file. Let’s see if we can access it.
Opening a web browser (I’m using Chrome) and entering the following URL: http://flaws.cloud/secret-dd02c7c.html, you should see:
Yay! We have solved the challenge, along with getting the URL for level 2.
Look out for another blog post where we solve that challenge.
Takeaway from the challenge –
For this level the bucket was public which means it’s accessible for EVERYONE. If there’s sensitive information that the world should not see, AWS allows for buckets to be private.
thefluffy007 